1. Definitions

a) “Agreement” means the agreement executed by CrossCountry, or CrossCountry’s duly appointed representative, and Vendor or Vendor’s duly appointed representative and which incorporates this DPA by reference. 

b) “Consumer” means the resident of any state governed by applicable U.S. Data Protection Laws, as defined by the applicable U.S. Data Protection Law(s). 

c) “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et seq. and its Implementing regulations. 

d) “Data Protection and Privacy Assessment” means a written assessment intended to document the risks associated with the Processing of Personal Information and the safeguards to mitigate such risks implemented by CrossCountry and the Vendor Processing the Personal Information on CrossCountry’s behalf. For the purposes of this DPA, “Data Protection and Privacy Assessment” includes the terms “Privacy Impact Assessment,” “Data Protection Assessment,” “Risk Assessment,” and any other term used in applicable US Data Privacy Laws to define an assessment or analysis performed for such purposes. 

e) “FCRA” – means the federal Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code. 

f) “GLBA” – means the federal Gramm-Leach-Bliley Act (Public Law 106-102) and its implementing regulations.

g) “MCDPA” means the Minnesota Consumer Data Privacy Act, M.S.A. § 325M.10 et seq.

h) “MTCPA” means The Montana Consumer Data Privacy Act, MCA § 30-14-2801 et seq.

i) “OCPA” means the Oregon Consumer Privacy Act, O.R.S. § 646A.570 et. seq.

j) “Personal Information” means information, derived information or any unique identifier that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a Consumer or to a device that identifies, is linked to or is reasonably linkable to one or more Consumers in a household. “Personal Information” includes “Personal Data” as defined by applicable U.S. Privacy Laws.

k) “U.S. Data Privacy Law” or “U.S. Data Privacy Laws” means laws and regulations of the United States and its member states and territories governing the privacy and protection of Consumer Personal Information. These include, but are not limited to, the GLBA, FCRA, CCPA, OCPA, MCDPA and MTCDPA.

l) “Process,” “Processed,” or “Processing” means performing or causing the performance, automatically or otherwise, of an action, operation or set of actions or operations on personal information or on sets of Personal Information, such as collecting, using, storing, disclosing, analyzing, deleting or modifying the Personal Information.

m) “Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s Personal Information by Vendor to a third party for monetary or other valuable consideration, unless pursuant to a written contract that complies with applicable U.S. Data Privacy  Laws. 

n) “Share” means, under any circumstances, sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Consumer’s Personal Information by the business to a third party for Cross–Context Behavioral Advertising, whether or not for monetary or other valuable consideration. 

o) Subprocessor – means a third-party not party to the Agreement between Vendor and CrossCountry which is engaged by Vendor to assist in the Processing of Personal Information on behalf of CrossCountry pursuant to the Agreement.

p) “Targeted Advertising” includes “Cross-Context Behavioral Advertising” as defined by the CCPA and means the targeting of advertising to a consumer based on the Consumer’s Personal Information obtained from the consumer’s activity across businesses, distinctly branded internet websites, applications, or services, other than the business, distinctly branded internet website, application, or service with which the Consumer intentionally interacts.

q) “Vendor” means the party or parties providing services pursuant to the Agreement to which this DPA is referenced as an addendum or exhibit. The definition of “Vendor” incorporates the definition of “Service Provider,” “Contractor,” “Processor,” and “Third Party” as defined in applicable U.S. Data Privacy Laws according to the terms of this DPA. 

2. Compliance with U.S Data Privacy Laws

Capitalized terms used in this DPA and not otherwise defined in the Agreement have the same meanings as defined in this DPA.  

a) Vendor acknowledges, agrees, and certifies that it has and will comply with the applicable obligations pursuant to US Data Privacy Laws.  During and after the term of the Agreement, Vendor acknowledges, agrees, and certifies that it shall Process Personal Information that it receives from CrossCountry or directly from a Consumer on CrossCountry’s behalf only as necessary to carry out the purposes set forth in the Agreement, unless expressly permitted by applicable U.S. Data Privacy  Laws.   

b) With regard to Personal Information Processed on behalf of CrossCountry, Vendor acknowledges, agrees, and certifies that it shall not:

i) Sell or Share the Personal Information Processed or use such Personal Information for the purposes of Targeted Advertising.
ii) Retain, use, or disclose such Personal Information for any purpose other than for the specific purpose of performing the services specified in the Agreement, or as otherwise permitted pursuant to applicable U.S Data Privacy Laws;
iii) Combine Personal Information Processed on behalf of CrossCountry with other Personal Information collected from its own interactions with a Consumer or on behalf of another person or persons
iv) Retain, use, or disclose the Personal Information outside of the direct business relationship between the Vendor and CrossCountry provided, however, that Vendor may retain, use, or disclose such Personal Information:

(1) For Vendor’s internal use to build or improve the quality of its services provided to CrossCountry. Such permitted use does not include providing services to another business.
(2) To the extent necessary to prevent, detect, or investigate data security incidents, or protect against fraudulent or illegal activity.

3. Subprocessor

Vendor may retain and employ a Subprocessor to Process Personal Information on behalf of CrossCountry, provided that:

a) CrossCountry is provided with written notification of the engagement of such subcontractor and is provided the opportunity to object to the engagement of such Subprocessor;

b) Vendor enters into a written contract with such Subprocessor in compliance with applicable U.S. Data Privacy Laws and requires such Subprocessor to enter into a similar a written contract with any additional third-party the Subprocessor subsequently engages to assist in the Processing of Personal Information on behalf of CrossCountry pursuant to the Agreement.

4. Destruction of Information

Unless otherwise stipulated in the Agreement, Vendor shall, at the direction of CrossCountry, destroy or return to CrossCountry a Consumer’s Personal Information that Vendor has received from CrossCountry or directly from a Consumer on CrossCountry’s behalf:

a) Within thirty (30) days of a request from CrossCountry;

b) Within thirty (30) days of the termination of the specific provision of services under the Agreement for which the Personal Information was provided to Vendor; or

c) Within sixty (60) days of the termination of the Agreement unless Vendor’s retention of said Personal Information is otherwise permitted pursuant to U.S. Data Privacy Laws.

If Vendor chooses to retain Personal Information received from CrossCountry, or directly from a Consumer on behalf of CrossCountry for a permitted purpose under an applicable U.S. Data Privacy Law, Vendor must provide notice to CrossCountry along with an explanation for the reasons for such retention.

5. Assistance in Complying with U.S Data Privacy Laws

a) Vendor shall fully cooperate and assist CrossCountry in fulfilling its obligations to comply with U.S Data Privacy Laws, including, with regard to Personal Information collected on behalf of CrossCountry and which is in Vendor’s possession, by providing or granting access to such Personal Information to the extent it is reasonably necessary for CrossCountry to:

(1) Provide Consumers with a notice of the use of automated decision-making technology, as required by applicable U.S Data Privacy Laws;
(2) Conduct and document cybersecurity audits and Data Protection and Privacy Assessments including, without misrepresentation, making available to CrossCountry or its designated auditor all information in Vendor’s possession or control relevant to the conduct of such audits or assessments; and
(3) Respond to requests by Consumers to exercise their rights under applicable U.S Data Privacy Laws, including, but not limited to, the right to access, correct, delete, and limit or opt-out of the Processing of Personal Information that Vendor Processes on behalf of CrossCountry.

b) Vendor shall promptly notify CrossCountry if a Consumer submits to Vendor a request to exercise a Consumer right under any applicable U.S Data Privacy Laws with respect to the Personal Information of the Consumer that Vendor Processes or has Processed on behalf of CrossCountry. If Vendor receives such a request, it shall inform CrossCountry of the request and provide CrossCountry with all information reasonably necessary for CrossCountry to respond to the consumer request.

6. Reasonable Security Procedures and Practices

a) Vendor shall implement reasonable security procedures and practices appropriate to the nature of the Personal Information to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure.

b) Vendor shall ensure that each person Processing the Personal information on behalf of the Vendor is subject to a duty of confidentiality with respect to the data.

7. Audit Rights

a) At CrossCountry’s request and with reasonable notice, Vendor shall make available to CrossCountry all applicable information reasonably necessary to verify that Vendor has complied with Vendor’s obligations under applicable U.S Data Privacy Laws.

b) Vendor shall grant CrossCountry the right to take reasonable and appropriate steps to ensure that Vendor uses Personal Information Processed on behalf of CrossCountry in a manner consistent with CrossCountry’s obligations under applicable U.S Data Privacy Laws, as well as the right to stop and remediate the Vendor’s unauthorized use of such Personal Information.

i) Such reasonable and appropriate steps shall include:

(1) Permitting CrossCountry, CrossCountry’s designee, or qualified and independent person the Vendor engages, to conduct an assessment of Vendor’s policies and technical and organizational measures for complying with its obligations under applicable U.S. Data Privacy Laws in accordance with an appropriate and accepted control standard, framework or procedure; and
(2) Requiring the Vendor to cooperate with the assessment and, at CrossCountry’s request, report the results of the assessment to the CrossCountry.

8. Notification of Noncompliance

Without limiting the foregoing, Vendor shall promptly notify CrossCountry if Vendor determines it is no longer able to comply with any applicable obligations under applicable U.S. Data Privacy Laws.

9. Breach of Agreement

Any breach of the terms of this DPA may be considered a material breach of the Agreement. This DPA shall survive termination or expiration of the Agreement. 

10. Miscellaneous

a) Construction; Interpretation: This DPA is part of the Agreement and is governed by its terms and conditions (including limitations of liability set forth therein). Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.

b) Severability: If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.

c) Enforcement of Rights: The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.

d) Assignment: This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.

e) Modification or Amendment of Terms: CrossCountry may amend or modify the terms of this DPA as needed to comply with applicable U.S. Data Privacy Laws. No modification of or amendment to this DPA will be effective unless CrossCountry provides, at the most recent point of contact provided in writing by Vendor and acknowledged in like manner by CrossCountry, written notice to Vendor of such modification or amendment of terms. Vendor may provide to CrossCountry written notice of objection to any modified or amended terms with ten (10) business days of Vendor’s receipt of written notification from CrossCountry pursuant to this paragraph. If CrossCountry and Vendor cannot arrive at an agreement regarding the modified or amended terms of this DPA, CrossCountry shall have the right to immediately terminate the Agreement.